Seeking Solutions to the Privacy Challenges of Emerging Technologies Blair Stewart, Assistant Privacy Commissioner Presentation to NZ Computer Society, Wellington, 24 November 2005

Office of the Privacy Commissioner Technology Team

Origins of Privacy laws bound up with technology 1960s/70s – public concerns at computers and networks led to regulation of databases and ‘automatic processing of data’ NZ Example: Wanganui Computer Centre Act 1976

Origins of Privacy laws cont’d 1980s/90s – risks of inconsistent national privacy laws impeding transborder data flows led to common international principles NZ Example: Privacy Act 1993 repealed prescriptive 1976 Act and implements broad 1980 OECD principles

Origins of Privacy laws cont’d 1990s/2000s – new & converging technologies give rise to new wave of public concerns Consumer & citizen ‘trust’ central e.g. consumer mistrust as an inhibitor to e-commerce NZ Example: Government’s 2000 ‘e-vision’ acknowledged concerns that government might ‘know too much about people’ and ‘use that information inappropriately’ (safeguards were promised) NZ Privacy Act also provides data matching safeguards See also OPC UMR survey (September 2001, next slide)

Some current and emerging technology challenges to privacy Privacy issues can arise wherever personal information is processed, e.g.: – micro-level (e.g. genetic information) – national databases (e.g. the forthcoming ‘e- census’) –global (e.g. GPS, EPC/RFID, WHOIS) The International Working Group on Data Protection in Telecommunications offers a glimpse of technology and privacy issues

IWGDPT papers (2001/02/03) Data Protection aspects of digital certificates and public-key infrastructures Online Voting in Parliamentary and other Elections Privacy and location information in mobile communications services Web-based Telemedicine Use of unique identifiers in telecommunication terminal equipments: the example of Ipv6 Children’s Privacy On Line: The Role of Parental Consent Telecommunications surveillance Intrusion Detection systems (IDS) Privacy risks associated with introduction of ENUM service

IWGDPT papers (2004) Cyber Security Curricula Integrating National, Cultural and Jurisdictional (Including Privacy) Imperatives Means & Procedures to Combat Cyber-Fraud in a Privacy- Friendly Way Privacy & location information in mobile communications services Freedom of expression & right to privacy regarding on-line publications Privacy risks associated with wireless networks Privacy and processing of images and sounds by multimedia messaging services A future ISO privacy standard

IWGDPT some current topics (2005) Web browser caching in multi-user public access environments (cyber cafés) Speaker recognition and voice analysis technology Internet governance e.g. WSIS, WGIG, WHOIS Electronic health records Web-services Blogging Spam, Spy-ware RFID IP telephony (Voice over IP) Satellite technology for everybody’s desktop, geo-location technology

How are privacy commissioners (and others) responding to these challenges? The privacy commissioner ‘model’ is a multi-functional regulator combining: –Researcher and policy adviser –Educator –Rule maker –Investigator and dispute mediator (complaints ombudsman)

How are commissioners (and others) responding to these challenges? The elastic character of privacy, dynamic nature of technology and globalisation of information handling, make rigid and prescriptive solutions very difficult (and usually undesirable) Instead good privacy outcomes in the technology area are fostered by: –Better understanding the issues –Educating those involved –Building in privacy from the start

Understanding the issues Emerging technologies raise novel issues Commissioners try to understand the issues as early as possible by: –Keeping abreast of literature –Maintaining networks with technologists (one task of technology team) –Discussing issues, sharing experience (e.g. IWGDPT), using overseas commissioners as an advanced warning system –Promoting or undertaking research e.g. into privacy enhancing technologies (PETs)

Understanding issues, cont’d Others also researching the issues, and commissioners may collaborate e.g: –With academia e.g. UK ICO links with UMIST; VPC links with RMIT –With industry e.g. UK ICO links with HiSPEC; Ontario IPC work with PETTEP, IBM Privacy Research Institute External Advisory Board, joint projects with PWC

Educating those involved Privacy commissioners active in training and education e.g. Technology Team runs an occasional lunchtime ‘Technology & Privacy Forum’ (open to the public) and convenes an Information Matching Interest Group (public sector only) UK Commissioner had UMIST develop ‘Best Practice Guidance on Data Protection for Systems Designers’ (see HiSPEC site)

Privacy by design: building privacy in from the start Privacy commissioners internationally have called upon hardware and software manufacturers to incorporate privacy enhancing technologies – it is not just an issue for governments

Privacy by design cont’d Privacy impact assessment is recommended for new systems affecting the handling of personal information

Conclusions Technology and privacy are closely bound together We all want to make the most of new technologies However, we also want to preserve our privacy (some more than others) and protect our personal information Computer professionals have an important part to play in finding solutions to the new challenges

Some resources Office of the Privacy Commissioner IWGDPT Working Papers berlin.de/doc/int/iwgdpt/ berlin.de/doc/int/iwgdpt/ HiSPEC (Human issues in security and privacy in e-commerce) Privacy Enhancing Technology Testing & Evaluation Project (PETTEP) ID=1&P_ID=15495&U_ID=0 ID=1&P_ID=15495&U_ID=0

Any Questions?